Saltzer's and Schroeder's Design Principles

Principle of Economy of Mechanism

Principle of Fail-safe Defaults

The protection mechanism should deny access by default, and grant access
only when explicit permission exists.

Principle of Complete Mediation

The protection mechanism should check every access to every object.

Principle of Open Design

The protection mechanism should not depend on attackers being ignorant
of its design to succeed. It may however be based on the attacker's
ignorance of specific information such as passwords or cipher keys.

Principle of Separation of Privilege

The protection mechanism should grant access based on more than one
piece of information.

Principle of Least Privilege

The protection mechanism should force every process to operate with the
minimum privileges needed to perform its task.

Principle of Least Common Mechanism

The protection mechanism should be shared as little as possible among
users.

Principle of Psychological Acceptability

The protection mechanism should be easy to use (at least as easy as not
using it).